When it comes down to it, there are a few main things that lead to problems and issues with WordPress websites, and most of them come down to the same cause: the user.
Let me explain.
The single biggest threat to a WordPress website is the user. The website owner. The person installing plugins and themes, making changes and using weak passwords to log in with.
This article will help you identify ways to reduce the risk of owning and operating a WordPress website.
Below I will explain each of these items with recommended resources and solutions.
1. Great Hosting
The hosting service you use is the foundation of your website. If you use cheap hosting providers that don’t make security a priority, but prefer to focus on how many sites they can fit on one server, you’re setting yourself up for failure.
What to look for when picking your host?
- Managed WordPress Products
- VPS / Cloud Solutions
- Level of Support
- Automation (backups / updates)
- Built-in CDN / Caching
I want to explain each of these items quickly.
- Managed WordPress Products:
Most hosting companies have started offering a “Managed WordPress” hosting solution.
However, these are not all created equally. Some are very basic in that they provide an environment with WordPress pre-installed, and that is the extent of it.
A managed WordPress hosting solution should also include support for WordPress, backups, security, and performance advantages (i.e., a CDN): pretty much all the things listed above in one package.
Recommended Managed WordPress hosting providers:
- VPS / Cloud Solutions:
If you’re not sure what this is, read this article, but simply put, these are types of hosting platforms. Each is a dedicated environment that offers better security and resources.
Better security because the hosting accounts within these solutions are contained environments, meaning your site is not impacted by another site on the same hosting server.
The same applies to the resources. They are contained and dedicated to each user. If someone is hosting on the same parent server as your VPS or Cloud account, and they start to max out or require more resources to run their site or handle their traffic, it will not slow your site or limit your visitors.
Each of the hosting options listed above offers either a VPS or Cloud-based hosting platform for their Managed WordPress solutions.
If you want a non-managed WordPress VPS / Cloud solution, I recommend:
- Level of Support:
This is very important, especially if you’re a do-it-yourselfer that doesn’t have much technical experience or know-how.
You will want to use a Managed WordPress hosting solution that also offers expert support for WordPress and not just their hosting platform.
This is not very common, even in the world of WordPress hosting. You want to be able to contact your hosting support and ask questions without being told, “that is out of scope”, or “we don’t support WordPress or your website”, and have them try to sell you a new service.
There are two parts to security. Both are important, and your hosting provider should include, or at the very least offer, both parts.
The first part is the security at the hosting level: ensuring that the hosting provider is using top-grade server security and doing everything possible to protect from threats that might breach the platform, or other users on the platform.
As mentioned above, a VPS or Cloud-based solution helps prevent user-to-user spread of hacks and malware because each environment (account) is containerized and isolated.
If there is a breach, the hosting provider should do everything possible to fix the results of that breach. Even if that means they have to recover your website.
The second part of security is what I call one-site, or site-level, security. This is where you have the ability to harden the security around your individual website. This includes things like file protection, firewalls, brute-force attack blocking, and much more.
With a Managed WordPress platform, a lot of this should be built in. Other aspects should be available to you with a simple upgrade or activation of a recommended plugin.
iThemes combines server-level security with their amazing Security Pro plugin.
- Automation (backups / updates):
This includes a couple of important things that will make managing your site easier and less stressful.
- Backups: You want to ensure your hosting provider is offering a backup solution. Make sure you know where they are storing those backups.
If they store the backups in a folder in the same location as your website files, that is NOT ideal! A hacker could delete all your backups, and a server crash could also cost you all your backups. They should be stored on a secure server separate from your site server.
- Updates: Do they offer an automated update solution for WordPress core (at the minimum)? This means that every time there is a new version of the WordPress software they are automatically updating your site.
It used to be important that they also offered an automated plugin update solution too; however, since WordPress 5.5, that option has been added to core.
However, I am still more confident in services like WP Engine's Smart Plugin Manager for handling important tasks like this.
- Built-in CDN / Caching:
In this microwave age of "I want it now", you need your site to load quickly and without delay. That is why this feature has become more common among Managed WordPress solutions.
There are plugins that add caching to your site; however, from my experience, these plugins, when not installed and configured correctly, tend to be a source of problems for WordPress sites. Which is why I recommend you use a host that has these solutions built in at the server level.
More and more, WordPress core is adding performance-based features like lazy image loading, and solutions like Jetpack offer a ton of performance solutions like leveraging the powerful WP.com CDN for images and video.
2. Quality Plugins & Themes
There are tens of thousands of plugins and themes available for download and they are not all created equally. Some are even created with the intention of installing malware on your site.
Others are developed to make a few dollars but are abandoned, leaving you with out-of-date, vulnerable software that eventually breaks and has to be replaced.
You want to make sure you’re using plugins and themes developed by credible sources.
Avoid plugins with these warning flags:
- Yellow Banner: “This plugin hasn’t been tested with the latest X major releases of WordPress.”
- Anything that has gone 9+ months since its last update
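The two warning flags above can be checked in bulk for every plugin on a site. This Python sketch is an added example, not code from the original article: it assumes records carrying the last_updated and tested fields of the WordPress.org plugin information API, uses constructed sample plugins with made-up slugs, and treats the banner's "X" as 3 major releases (an assumption, adjustable via max_releases_behind).

```python
from datetime import date

# Constructed sample records, shaped like WordPress.org plugin_information
# responses (fields: slug, last_updated, tested). The slugs are made up.
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "last_updated": "2024-05-20 3:12pm GMT", "tested": "6.5.3"},
    {"slug": "example-slider", "last_updated": "2023-06-02 9:40am GMT", "tested": "6.2"},
    {"slug": "example-seo", "last_updated": "2024-03-01 11:05am GMT", "tested": "5.9.1"},
]


def months_since(last_updated: str, today: date) -> int:
    """Whole months between the plugin's last update and today."""
    updated = date.fromisoformat(last_updated.split()[0])
    months = (today.year - updated.year) * 12 + (today.month - updated.month)
    return months - 1 if today.day < updated.day else months


def release_index(version: str) -> int:
    """Map '6.5.3' to 65: WordPress major releases step by 0.1 (5.9 -> 6.0)."""
    parts = version.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return int(parts[0]) * 10 + minor


def audit_plugins(plugins, current_wp, today, max_months=9, max_releases_behind=3):
    """Return {slug: [warnings]} for plugins that trip either warning flag."""
    findings = {}
    for plugin in plugins:
        warnings = []
        age = months_since(plugin["last_updated"], today)
        if age >= max_months:
            warnings.append(f"no update in {age} months")
        # Assumption: the yellow banner appears once a plugin is this many
        # major releases behind the current WordPress version.
        behind = release_index(current_wp) - release_index(plugin["tested"])
        if behind >= max_releases_behind:
            warnings.append(f"tested only up to WordPress {plugin['tested']}")
        if warnings:
            findings[plugin["slug"]] = warnings
    return findings


if __name__ == "__main__":
    report = audit_plugins(SAMPLE_PLUGINS, current_wp="6.5", today=date(2024, 6, 1))
    for slug, warnings in report.items():
        print(f"{slug}: {'; '.join(warnings)}")
```

Any plugin that appears in the report is a candidate for replacement with a maintained alternative.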
Avoid themes from these places:
I am probably biased with this one. But we have seen more issues with sites using themes purchased from ThemeForest than any other theme repository.
These themes, more often than not, tend to be poorly developed, bloated, and require a ton of plugins.
3. Update When Needed
The update notifications aren’t a suggestion! It is important that you update the plugins, themes, and WordPress itself when needed.
Not updating is the quickest way to start experiencing problems with your WordPress website.
Updates are not just about new features and functionality. In fact, that is the less likely reason a developer pushes an update.
Updates are primarily to fix problems with the software, a.k.a. bugs, and to patch what are called vulnerabilities: weaknesses in the code that make that software susceptible to hackers.
PRO TIP: Backup before updating anything!! See below for more on backups!
4. Strong Security
I mentioned security in the hosting section; however, there are things you, as the user, can do to further your protection.
- Use Strong Passwords and Usernames
It is important that you, along with a strong password, also use a strong username.
- Never use Admin
- Never use your name
- Never use your site name
You should also make a habit of changing your password; the security world would recommend every 3 months.
- Use On-site Security
I cover this in depth in the Hosting section above, and below with several recommended solutions for securing your site.
Here are a couple of plugins you can use to help add site-level security to your website easily!
- Delete Unused Plugins & Themes
Even plugins that are inactive can be a security threat. Often people leave unused plugins and themes installed and don’t update them. Delete all unused plugins and themes.
PRO TIP: Leave the latest Twenty something theme. I discuss that more here.
- Delete Unused User Accounts
If you have any user accounts you created for employees or freelancers or support services that you no longer need, delete them. Creating users is easy to do, and not worth the risk for those, “just in case you need it again” moments.
PRO TIP: Make sure you assign all content to your user when deleting users.
- Mark and Delete SPAM Comments
The best way to manage SPAM comments is with Akismet. This is a plugin developed and maintained by Automattic.
You can get the plugin for free. In fact it should be installed with WordPress by default. Without an API key, you will have to manually mark and delete SPAM comments. If you pay $15/yr for an API key (or have a paid subscription for Jetpack) you can have SPAM comments managed for you automatically.
5. Backup Often
As mentioned, if you’re using a Managed WordPress hosting solution, your provider is likely doing daily backups automatically (or should be!), and some give you the option to manually trigger backups.
In the case of backups, redundancy is a good thing. Meaning, even if you’re using a hosting solution that does backups for you, you should also have your own backup system in place.
And most importantly, these backups should be stored in a secure location away from your website hosting.
These are my top three recommendations for easy and secure backup solutions.
6. Get Help … When Needed
If you’re not an expert, articles like these can be helpful, but often they are not the end result. You still may need help, and when that is the case, ask for it.
There are a couple of sources I recommend for good tutorials and training on how to use WordPress and other popular plugins.
- WP101 (courses include the following)
- Gutenberg (block editor)
- Ninja Forms
- WP Rocket
If you followed my advice in step one above and started with a strong hosting provider as your foundation, their support team may be able to help.
If NOT…I recommend these services:
The Wrap Up
If you can make these 6 tips part of your WordPress best practices for maintaining your website, you’ll be far better off than the majority of WordPress users.
However, if you find that this is all too time consuming and you’d rather have your site managed for you by a team of experts, we can take care of all this and more for less than $5 per day!
One of our recent customers said this about her experience with our team:
If you have questions or need help with any of the things mentioned in this article, feel free to use the comments below or start a conversation with our team using the chat option to the right.